An intrusion prevention system (IPS) is a network security tool (which can be a hardware device or software) that continuously monitors a network for malicious activity and takes action to prevent it, including reporting, blocking, or dropping it, when it does occur.
It is more advanced than an intrusion detection system (IDS), which simply detects malicious activity but cannot take action against it beyond alerting an administrator. Intrusion prevention systems are sometimes included as part of a next-generation firewall (NGFW) or unified threat management (UTM) solution. Like many network security technologies, they must be powerful enough to scan a high volume of traffic without slowing down network performance.
An intrusion prevention system is placed inline, in the flow of network traffic between the source and destination, and usually sits just behind the firewall. There are several techniques that intrusion prevention systems use to identify threats:
- Signature-based: This method matches the activity to signatures of well-known threats. One drawback to this method is that it can only stop previously identified attacks and won’t be able to recognize new ones.
- Anomaly-based: This method monitors for abnormal behavior by comparing random samples of network activity against a baseline standard. It is more robust than signature-based monitoring, but it can sometimes produce false positives. Some newer and more advanced intrusion prevention systems use artificial intelligence and machine learning technology to support anomaly-based monitoring.
- Policy-based: This method is somewhat less common than signature-based or anomaly-based monitoring. It employs security policies defined by the enterprise and blocks activity that violates those policies. This requires an administrator to set up and configure security policies.
Once the IPS detects malicious activity, it can take many automated actions, including alerting administrators, dropping the packets, blocking traffic from the source address, or resetting the connection. Some intrusion prevention systems also use a “honeypot,” or decoy high-value data, to attract attackers and stop them from reaching their targets.
There are several types of IPS, each with a slightly different purpose:
- Network intrusion prevention system (NIPS): This type of IPS is installed only at strategic points to monitor all network traffic and proactively scan for threats.
- Host intrusion prevention system (HIPS): In contrast to a NIPS, a HIPS is installed on an endpoint (such as a PC) and looks at inbound and outbound traffic from that machine only. It works best in combination with a NIPS, as it serves as a last line of defense for threats that have made it past the NIPS.
- Network behavior analysis (NBA): This analyzes network traffic to detect unusual traffic flows, such as DDoS (Distributed Denial of Service) attacks.
- Wireless intrusion prevention system (WIPS): This type of IPS simply scans a Wi-Fi network for unauthorized access and kicks unauthorized devices off the network.
An intrusion prevention system offers many benefits:
- Additional security: An IPS works in tandem with other security solutions, and it can identify threats that those other solutions can’t. This is particularly true of systems that use anomaly-based detection. It also provides superior application security thanks to a high level of application awareness.
- Increased efficiency for other security controls: Because an IPS filters out malicious traffic before it reaches other security devices and controls, it reduces the workload for those controls and allows them to perform more efficiently.
- Time savings: Since an IPS is largely automated, it requires less of a time investment from IT teams.
- Compliance: An IPS fulfills many of the compliance requirements set forth by PCI DSS, HIPAA, and others. It also provides valuable auditing data.
- Customization: An IPS can be set up with customized security policies to provide security controls specific to the enterprise that uses it.
There are several reasons why an IPS is a key part of any enterprise security system. A modern network has many access points and deals with a high volume of traffic, making manual monitoring and response an unrealistic option. (This is particularly true when it comes to cloud security, where a highly connected environment can mean an expanded attack surface and thus greater vulnerability to threats.) In addition, the threats that enterprise security systems face are growing ever more numerous and sophisticated. The automated capabilities of an IPS are vital in this situation, allowing an enterprise to respond to threats quickly without placing a strain on IT teams. As part of an enterprise’s security infrastructure, an IPS is a crucial way to help prevent some of the most serious and sophisticated attacks.
It is important to remember that an IPS is only one part of a robust security solution—it needs to work with other technology for maximum effectiveness. In fact, intrusion prevention systems are often offered as one capability of a unified threat management or next-generation firewall solution, although they can also be standalone offerings. In a typical security architecture, the IPS usually sits just behind the firewall and works in tandem with it to provide an extra level of security and catch threats that the firewall can’t catch on its own. An IPS also helps protect other security controls from attack, as well as improving performance for those controls by filtering out malicious traffic before it reaches them. Most importantly, an IPS provides an additional layer of security by identifying and filtering out threats that other parts of the security infrastructure can’t detect.